Top 3 Security Threats for Banks – And How to Address Them

How can banks mitigate their biggest security risks in a rapidly changing fraud landscape?

Financial institutions have many options when it comes to protecting customer transactions, including advanced software products able to pass stringent security standards to prevent data loss. But like any other business, banks’ chief vulnerability point from an operational standpoint is their people, particularly in the bring-your-own-device (BYOD) era.

Banks are hard-pressed to control the business use of personal devices and monitor security practices for an increasingly mobile workforce, but there are steps managers can take to rein in the risks. Here are the top three security threats banks and other businesses face and ideas on how managers can mitigate them with better cyber security practices:

1. Weak passwords. Despite many advances in security technology, the password is still the first line of defense for most bank PCs, laptops, and personal mobile devices that are used for business. Unfortunately, many employees still use easy-to-guess passwords, such as their job titles, children's or pets' names, birth years, and other personal information that anyone can find on sites like Facebook.

Bank managers should educate employees on proper password protection methods, such as creating memorable yet difficult-to-crack passwords. One proven technique is to use a combination of upper and lowercase letters, symbols, and numbers. Strong passwords incorporating those elements can also be easy to remember if the employee uses symbols and numbers that resemble letters in a simple password, such as “Fri$b33” for “Frisbee.”
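The two rules above (mix character classes, and keep job titles, family or pet names and birth years out of the password) can be turned into a self-service check that an employee or help desk can run before a password is set. The following Python is an added example written for this article, not code from the author or from Siber Systems; the minimum length of 8, the list of personal terms, and the substitution table that maps "$" to "s" or "3" to "e" are all assumptions made here so that a password such as "B@nkT3ller" is still recognised as a disguised job title.

```python
import re

# Assumed table of common letter-for-symbol substitutions. It is used to
# undo them so that a personal term hidden behind "$" or "3" is still found.
LEET_MAP = str.maketrans({
    "$": "s", "5": "s", "3": "e", "1": "i", "!": "i",
    "0": "o", "@": "a", "7": "t",
})


def normalize(text):
    """Lower-case the text and undo the substitutions in LEET_MAP."""
    return text.lower().translate(LEET_MAP)


def check_password(candidate, personal_terms, min_length=8):
    """Return a list of policy findings for a candidate password.

    An empty list means the candidate satisfies every check:
    - at least ``min_length`` characters (assumed default of 8);
    - upper-case, lower-case, digit and symbol all present;
    - none of the caller's ``personal_terms`` (job title, names,
      birth year) appear, even after symbol substitutions are undone.
    """
    findings = []
    if len(candidate) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", candidate):
        findings.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        findings.append("no lowercase letter")
    if not re.search(r"\d", candidate):
        findings.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        findings.append("no symbol")

    # Compare each personal term against both the raw lower-cased password
    # and the de-substituted form, so "T3ller" still matches "Teller".
    haystacks = (candidate.lower(), normalize(candidate))
    for term in personal_terms:
        needle = term.lower()
        if len(needle) >= 3 and any(needle in h for h in haystacks):
            findings.append(f"contains personal term '{term}'")
    return findings


if __name__ == "__main__":
    # Constructed sample profile: surname, pet name, birth year, job title.
    profile = ["Smith", "Rex", "1985", "Teller"]
    for pw in ["Rex1985!", "B@nkT3ller", "Fri$b33", "Fri$b33-Sunday"]:
        print(pw, "->", check_password(pw, profile) or "OK")
```

The personal-term list would normally be filled from the HR record and the employee's own input; the check is deliberately conservative, because the same substitution tricks an employee uses to disguise a name are built into every password-cracking wordlist.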

2. Lack of training. Bank employees who use weak passwords and fail to take basic security precautions generally don’t mean any harm; typically, they just don’t fully understand the risks. And while bank managers are primarily concerned with the possibility of company data falling into the wrong hands, employees who use personal devices for company business are also putting their own information at risk, including bank account numbers and e-commerce accounts.

To address these risks, bank managers can hold training sessions, providing employees with the basic knowledge they need to safeguard data and secure their devices. The training curriculum could cover fundamentals such as techniques for creating secure passwords, including automated password management systems. It can also include ways to avoid keylogger scams and phishing cons and information on how to protect devices against viruses and malware.

3. Lack of accountability. The BYOD trend only started in earnest fairly recently, so many financial institutions are still catching up. Most have formulated policies to govern employees’ use of personal devices for business purposes as well as routine use of company-owned technology assets, but many don’t have a system in place to hold employees accountable.

To remedy this situation, bank managers can ask employees to read and sign a written statement acknowledging that they understand the company’s policy on cyber security and agree to comply with best practices, preferably after receiving training from the company or reviewing detailed policy guidelines that include tips on keeping data and devices safe. The policy should also include directions on how to ask for support.

Financial institutions tend to focus on transactional security compliance, which is unquestionably important. But bank employees are just as vulnerable to hackers and data breaches in their day-to-day business operations as staff at other types of companies.

For that reason, it’s important to encourage better security practices, particularly since the BYOD trend has expanded the risks. By identifying the most pressing vulnerabilities, and taking steps to mitigate them, banks can operate more safely and protect data and devices.

Bill Carey is the Vice President of Marketing and Business Development at Siber Systems (RoboForm). Siber Systems is a leading maker of software products designed to give users a better and more secure experience. Bill is an advocate for the importance of ...

Oh, and #3? Having an employee sign a BYOD agreement does little to protect the bank. Users never read the usage agreements they sign, and if data is compromised it is still the bank's responsibility to clean up the mess, not the employee's.

Users (both internal and external) are a bank's worst enemy when it comes to cyber-defenses. Users hate passwords, despise complex passwords and are always losing their BYO devices. Finding a way to make it all work is a challenge and it will be a battle between "ease of use" and "security" that will go on for years.

I agree, these are all good ideas that banks should keep in mind. Enforcing basic security measures doesn't have to be complicated - as shown in point #1, even something as simple as changing password letters to symbols can make a difference.